
I know there are a lot of questions concerning CORS already, but they don't seem to answer my question.

So I have a client app written in AngularJS which will be used to create a mobile app (with Apache Cordova). The HTML files and JavaScript files will be loaded from the mobile device.
When I simulate that and send requests to the REST API server, I first got:
"No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:82' is therefore not allowed access".
So I added header("Access-Control-Allow-Origin: *"); in my PHP REST API server. I cannot specify a specific domain as the requests will come from the mobile devices.

Now I got to "A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true."

I finally found a solution but I'm not sure it is safe to keep it like this.

Not sure if you know or not, but "credentials flag is true" doesn't refer to an Access-Control-Allow-Credentials: true header on the response -- it refers to request.withCredentials = true. (stackoverflow.com/questions/34078676/…)
– Andy Feb 17 '17 at 17:37

1 Answer

Response should only have the accepted headers in Access-Control-Allow-Headers, don't use wildcard.

As far as it being safe, note the comment from @Jules in this post about CORS:

Note that sending the HTTP Origin value back as the allowed origin will allow anyone to send requests to you with cookies, thus potentially stealing a session from a user who logged into your site then viewed an attacker's page. You either want to send '*' (which will disallow cookies thus preventing session stealing) or the specific domains for which you want the site to work.

As described, "Access-Control-Allow-Origin: *" does not work. I do need the cookies, and the combination of "Access-Control-Allow-Origin: *" and sending cookies seems not to be allowed.
– mvermand Oct 16 '14 at 19:23

Thank you for your update, it is clear! Though, a few more questions: 1) I guess I need to send the Authorization header on each request, or another token that can be used to identify / recover the session in the backend? 2) I guess I need to store the token in a custom cookie (through JS) or local storage to survive a browser reload, right? 3) I guess this all is less secure than an HttpOnly cookie to handle the authentication, right? I guess the token might be hacked more easily than with an HttpOnly cookie...
– mvermand Oct 17 '14 at 9:28
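As an added example (not the asker's or the answerer's code): a PHP version of what the answer recommends, an explicit origin allowlist plus explicit Access-Control-Allow-Headers, so cookies can be sent without either the forbidden '*' or the unsafe "echo the Origin back" approach. It assumes a plain PHP script and a hand-maintained allowlist; 'http://localhost:82' is taken from the question's error message.

```php
<?php
// Added example (not the asker's or answerer's code): allowlist-based CORS
// for a PHP REST endpoint that must work with cookies (credentials).
// Assumptions: plain PHP script; the allowlist is maintained by hand.

// Exact origins that may call this API with credentials. 'http://localhost:82'
// is the origin from the question's error message; add the real app origins.
// A credentialed response may never use '*' here, and blindly echoing the
// request's Origin would let any site reuse the visitor's session cookie.
const ALLOWED_ORIGINS = ['http://localhost:82'];

// Request headers the client may send: an explicit list, not '*'.
const ALLOWED_HEADERS = 'Content-Type, Authorization';
const ALLOWED_METHODS = 'GET, POST, PUT, DELETE, OPTIONS';

/**
 * Returns the CORS headers to emit for $origin, or an empty array when the
 * origin is not on the allowlist (no CORS headers => the browser blocks access).
 */
function corsHeadersFor(?string $origin): array
{
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        return [];
    }
    return [
        'Access-Control-Allow-Origin'      => $origin,  // the one matching origin
        'Access-Control-Allow-Credentials' => 'true',   // permits cookies
        'Access-Control-Allow-Headers'     => ALLOWED_HEADERS,
        'Access-Control-Allow-Methods'     => ALLOWED_METHODS,
        'Vary'                             => 'Origin', // response depends on Origin
    ];
}

$origin = $_SERVER['HTTP_ORIGIN'] ?? null;
foreach (corsHeadersFor($origin) as $name => $value) {
    header("$name: $value");
}

// Preflight: answer the OPTIONS request and stop; no body is needed.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
    http_response_code(204);
    exit;
}

// ... the actual REST API handling continues here.
```

With Cordova the origin the webview sends depends on the platform and how the app is packaged, so check what Origin the device actually sends before adding it to the list rather than matching loosely.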